Re: intercepting system calls

• Previous message: Kurt P. Hundeck: "Re: linux-security-module digest, Vol 1 #12 - 7 msgs"
• In reply to: David Wagner: "intercepting system calls"
• Next in thread: Jesse Pollard: "intercepting system calls"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 13 Apr 2001, David Wagner wrote:

> >Yep.  Execve is a pretty straight forward example though... As long as
> >you are trying to augment the system call and not replace it, the
> >argument decoding you do is pretty straight forward.
>
> Did you implement this in the kernel on Linux?  How did you deal
> with the fact that the implementation sys_execve() reads from its
> caller's stack frame?  Due to this issue, I found that just putting
> a wrapper around sys_execve() doesn't work, and I essentially had
> to cut-and-paste code from arch/i386/kernel/process.c.  Do you have
> a better solution?

Um, depends on your definition of "better".

Basically, we started by doing pretty much the same thing... The
replacement stubs for fork() and exec() both passed a pointer to the
stack frame as an extra argument and the "real" versions of the system
call copied heavily from process.c.

Then our low-level guy redid our interposition in assembly.  He ended
up managing to have no stack footprint when we called the original
system call, so we no longer needed to copy anything... Of course,
that's not portable at all.

> Can you give any examples?  In Janus, we pushed all these checks
> to open(), but are there some important cases where you can't do this?

The follwing is taken from one of our sample wrappers.  Its evil, but cool:

wrapper dbfencrypt {
    ...
    linux::oattr{fileop&&fdretop} post { /* open et. all */
        if ($fdret >= 0 && /* filename ends in a token character */ ) {
            WQL {
                insert into active_files values ($fdret, _pid);
            };
        }
    }
    linux::op{write} pre {
        DBROW::active_files_table row;
        WQL {
            select into row from active_files where
                .pid = _pid and .fd = $fd;
        };
        if (!row.isempty()) {
            /* Encrypt data en-route to system call. */
        }
    }
    linux::op{read} pre {
        DBROW::active_files_table row;
        WQL {
            select into row from active_files where
                .pid = _pid and .fd = $fd;
        };
        if (!row.isempty()) {
            /* Decrypt data en-route to system call. */
        }
    }
}

Basically, for access control, intercepting "open(2)" is fine.. But
we wanted to let you have more fun than just access control

Doug
-- 
dougkat_private
dkilpatrat_private



_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Douglas Kilpatrick: "Re: intercepting system calls"
• Previous message: Kurt P. Hundeck: "Re: linux-security-module digest, Vol 1 #12 - 7 msgs"
• In reply to: David Wagner: "intercepting system calls"
• Next in thread: Jesse Pollard: "intercepting system calls"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Apr 15 2001 - 16:08:19 PDT